1848 matches found
Oracle Releases January 2025 Patch to Address 318 Flaws Across Major Products
Oracle is urging customers to apply its January 2025 Critical Patch Update (CPU) to address 318 new security vulnerabilities spanning its products and services. The most severe of the flaws is a bug in the Oracle Agile Product Lifecycle Management (PLM) Framework (CVE-2025-21556, CVSS score: 9.9) that...
CVE-2024-57933
CVE-2024-57933 (Linux kernel, GVE/XDP/XSK) : The issue arises from races around XSK/XDP queue existence. The patch adds guards to XSK operations and XDP xmit/NDO paths based on queue existence and interface state, preventing crashes when interfaces go down or queues disappear during operation. It...
Azul Zulu Java Vulnerability (2025-01-21)
The version of Azul Zulu installed on the remote host is 11 prior to 11.77.14 / 17 prior to 17.55.14 / 21 prior to 21.39.14 / 23 prior to 23.32.12. It is, therefore, affected by a vulnerability as referenced in the 2025-01-21 advisory. Note that Nessus has not tested for this issue but has instea...
Oracle Critical Patch Update Advisory - January 2025
A Critical Patch Update is a collection of patches for multiple security vulnerabilities. These patches address vulnerabilities in Oracle code and in third party components included in Oracle products. These patches are usually cumulative, but each advisory describes only the security patches add...
PT-2025-1257 · Oracle · Oracle Agile PLM Framework
Name of the Vulnerable Software and Affected Versions: Oracle Agile PLM Framework version 9.3.6 Description: The issue is related to insufficient input validation in the Agile Integration Services component, allowing a low-privileged attacker with network access via HTTP to compromise the Oracle...
Fedora 40 : stb (2025-49e8952aab)
The remote Fedora 40 host has a package installed that is affected by a vulnerability as referenced in the FEDORA-2025-49e8952aab advisory. Add another patch for the root cause of CVE-2021-45340. We already have a patch for CVE-2021-45340, but adding this new patch may prevent a related, unproven...
PT-2025-2692
Name of the Vulnerable Software and Affected Versions: Google Go versions up to 1.22.10/1.23.4 Description: A certificate with a URI which has an IPv6 address with a zone ID may incorrectly satisfy a URI name constraint that applies to the certificate chain. Certificates containing URIs are not...
CVE-2025-21171 .NET Remote Code Execution Vulnerability
...
PT-2025-3553 · Jeewms · Jeewms
Name of the Vulnerable Software and Affected Versions: JeeWMS versions prior to 2025.01.01 Description: The issue is related to a permission bypass in the component /interceptors/AuthInterceptor.cava. This component is part of the JeeWMS system, and the bypass could potentially allow unauthorized...
Security Advisory EPM January 2025 for EPM 2024 and EPM 2022 SU6
Update Regarding Ivanti EPM (Endpoint Manager) Downloads: As part of our ongoing efforts to enhance your experience and streamline our processes, we have migrated the software downloads from the Ivanti Community to the Ivanti License System (ILS). You will continue to use your current Ivanti Single...
CVE-2024-47809 dlm: fix possible lkb_resource null dereference
In the Linux kernel, the following vulnerability has been resolved: dlm: fix possible lkb_resource null dereference. This patch fixes a possible null pointer dereference when this function is called from request_lock() as lkb->lkb_resource is not assigned yet, only after validate_lock_args() by calling...
PT-2025-1073
Name of the Vulnerable Software and Affected Versions: Junos OS SRX Series versions prior to 21.4R3-S8; Junos OS SRX Series versions 22.2 through 22.2R3-S5; Junos OS SRX Series versions 22.3 through 22.3R3-S3; Junos OS SRX Series versions 22.4 through 22.4R3-S2; Junos OS SRX Series versions 23.2 throu...
GHSA-R5VF-WF4H-82GG matrix-sdk-crypto missing facility to signal rotation of a verified cryptographic identity
Impact: Versions of the matrix-sdk-crypto Rust crate before 0.8.0 lack a dedicated mechanism to notify that a user's cryptographic identity has changed from a verified to an unverified one, which could cause client applications relying on the SDK to overlook such changes. Patches: matrix-sdk-crypto...
CVE-2024-56657
In the Linux kernel, the following vulnerability has been resolved: ALSA: control: Avoid WARN() for symlink errors. Using WARN() for showing the error of symlink creations doesn't give more information than telling that something goes wrong, since the usual code path is a lregister callback from each...
CVE-2024-56657
CVE-2024-56657 relates to the Linux kernel ALSA: control path where WARN() was used for symlink creation errors. The fix downgrades these warnings to dev_err() and adds the function name to the prefix to reduce confusion (notably for fuzzers). This is a patch-level remediation described in Azure ...
PT-2024-14027 · Ibm · Ibm Storage Defender - Resiliency Service
Name of the Vulnerable Software and Affected Versions: IBM Storage Defender - Resiliency Service versions 2.0.0 through 2.0.9 Description: The issue could allow a privileged user to obtain highly sensitive user credentials from secret keys that are stored in clear text. Recommendations: For...
PT-2024-9739
Name of the Vulnerable Software and Affected Versions: GFI Kerio Control versions 9.2.5 through 9.4.5 Description: An issue was discovered in GFI Kerio Control where the dest GET parameter passed to the "/nonauth/addCertException.cs", "/nonauth/guestConfirm.cs", and "/nonauth/expiration.cs" pages...
PT-2024-17232 · WordPress · Eveeno
Name of the Vulnerable Software and Affected Versions: Eveeno plugin for WordPress versions up to, and including, 1.7 Description: The issue is related to Stored Cross-Site Scripting via the plugin's 'eveeno' shortcode due to insufficient input sanitization and output escaping on user-supplied...
CVE-2024-55652 PwnDoc Server-Side Template Injection vulnerability - Sandbox Escape to RCE using custom filters
PwnDoc is a penetration testing reporting application. Prior to commit 1d4219c596f4f518798492e48386a20c6e9a2fe6, an attacker can write a malicious docx template containing expressions that escape the JavaScript sandbox to execute arbitrary code on the system. An attacker who can control the...
Security update for nodejs20
This update for nodejs20 fixes the following issues: CVE-2024-21538: Fixed regular expression denial of service in cross-spawn dependency (bsc#1233856). Other fixes: - Updated to 20.18.1: Experimental Network Inspection Support in Node.js; Exposes X509_V_FLAG_PARTIAL_CHAIN to tls.createSecureContext; New...